Donghong Sun,Xuefeng Li,Wu Liu,Jianping Wu

DOI: https://doi.org/10.1109/ctc.2010.16

2010-01-01

Abstract:A widespread botnet is often used to carry cyber attacks, which results in serious threats to networks and properties. The application of combining botnets and P2P technology is powerful but complicated. This paper shows the differences of control mechanisms, running functions and working performance between central-controlled botnets and P2P-conctrolled botnets by analysis of several famous botnets. Futher more, This paper also reseaches on Command-and- Control (C&C) mechanism which works as the core component of botnets' architecture, giving out the definition and evaluation parameters of this mechanism, finally proposing a new architecture. It is useful to finding vulnerabilities of P2P botnets and guiding defenders to design effective detection and defending methods.

Di Zhuang,J. Morris Chang

DOI: https://doi.org/10.1109/TIFS.2018.2881657

2018-11-14

Abstract:Peer-to-peer (P2P) botnets have become one of the major threats in network security for serving as the fundamental infrastructure for various cyber-crimes. More challenges are involved in the problem of detecting P2P botnets, despite a few work claimed to detect centralized botnets effectively. We propose Enhanced PeerHunter, a network-flow level community behavior analysis based system, to detect P2P botnets. Our system starts from a P2P network flow detection component. Then, it uses "mutual contacts" to cluster bots into communities. Finally, it uses network-flow level community behavior analysis to detect potential botnets. In the experimental evaluation, we propose two evasion attacks, where we assume the adversaries know our techniques in advance and attempt to evade our system by making the P2P bots mimic the behavior of legitimate P2P applications. Our results showed that Enhanced PeerHunter can obtain high detection rate with few false positives, and high robustness against the proposed attacks.

Cryptography and Security,Networking and Internet Architecture,Social and Information Networks

Ziming Zhao,Zhaoxuan Li,Fan Zhang,Tingting Li,Jianwei Yin

DOI: https://doi.org/10.1145/3672202.3673720

2024-01-01

Abstract:Cyber attacks are increasingly becoming prevalent and influence the Internet ecosystem. Particularly, botnets crafted by adversaries cause significant damage to Internet infrastructure. In the last decade, the boom of P2P protocols broadened and amplified the attack surface, manifested as the built botnet usually containing over 100K nodes. However, the existing state-of-the-art graph-based method exhibits many misclassifications when existing legitimate P2P communication. In this paper, we propose an intelligent node retrieval process based on reinforcement learning to calibrate more misidentifications with as few retrievals as possible. The empirical evaluations that contain >100,000 communication nodes from the real-world IP backbone topology and involve 7 common P2P protocols show our proposal realizes superior outcomes for misidentification calibrations.

陈端兵,万英,田军伟,傅彦

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.06.026

2009-01-01

Computer Science

Abstract:A P2P botnet control strategy based on social network analysis was designed.The strategy includes two aspects:the first is to mine and protect the key nodes and bridge nodes in the P2P botnet;the other is to detect communities in the network and survey the key edges between communities.Experimental results show that the strategy proposed in this paper could mine the key nodes,bridge nodes and key edges precisely.Precision of bridge nodes and key edges mining is 95% and 93%,respectively.The propagation of botnet virus and hackers' attacking commands could be controlled effectively by the strategy proposed in this paper.

Di Zhuang,J. Morris Chang

DOI: https://doi.org/10.48550/arXiv.1709.06440

2017-09-19

Cryptography and Security

Abstract:Peer-to-peer (P2P) botnets have become one of the major threats in network security for serving as the infrastructure that responsible for various of cyber-crimes. Though a few existing work claimed to detect traditional botnets effectively, the problem of detecting P2P botnets involves more challenges. In this paper, we present PeerHunter, a community behavior analysis based method, which is capable of detecting botnets that communicate via a P2P structure. PeerHunter starts from a P2P hosts detection component. Then, it uses mutual contacts as the main feature to cluster bots into communities. Finally, it uses community behavior analysis to detect potential botnet communities and further identify bot candidates. Through extensive experiments with real and simulated network traces, PeerHunter can achieve very high detection rate and low false positives.

Junfeng Yu,Zhitang Li,Jun Hu,Feng Liu,Lingyun Zhou

DOI: https://doi.org/10.1109/nswctc.2009.289

2009-01-01

Abstract:Due to the steady evolution and increase in sophistication of peer to peer botnets, it is necessary to understand the structural potential in this type of intruder tool. We formally model the P2P botnets with the help of complex systems. We propose metrics to measure the structural potential of different types of P2P botnets. We also propose a simulative framework to investigate the robustness of P2P botnets in face of various targeted response. In particular, We have shown that naive defenses don’t work. Simply randomly remove infected nodes does not slow down the attacker much, regardless of whether the connectivity between peer bots follows a random or scale-free pattern. We found that the degree based response on P2P botnets offer best approach. Our works also show that the simulation approach revealed some invariant properties of the P2P botnets and open an insight about functional aspects of their topology in terms of robustness and communication efficiency.

Mark Scanlon,M-Tahar Kechadi

DOI: https://doi.org/10.48550/arXiv.1409.8490

2014-09-30

Abstract:Peer-to-Peer (P2P) botnets are becoming widely used as a low-overhead, efficient, self-maintaining, distributed alternative to the traditional client/server model across a broad range of cyberattacks. These cyberattacks can take the form of distributed denial of service attacks, authentication cracking, spamming, cyberwarfare or malware distribution targeting on financial systems. These attacks can also cross over into the physical world attacking critical infrastructure causing its disruption or destruction (power, communications, water, etc.). P2P technology lends itself well to being exploited for such malicious purposes due to the minimal setup, running and maintenance costs involved in executing a globally orchestrated attack, alongside the perceived additional layer of anonymity. In the ever-evolving space of botnet technology, reducing the time lag between discovering a newly developed or updated botnet system and gaining the ability to mitigate against it is paramount. Often, numerous investigative bodies duplicate their efforts in creating bespoke tools to combat particular threats. This paper outlines a framework capable of fast tracking the investigative process through collaboration between key stakeholders.

Cryptography and Security,Networking and Internet Architecture

Jia Yan,Lingyun Ying,Yi Yang,Purui Su,Qi Li,Hui Kong,Dengguo Feng

DOI: https://doi.org/10.1007/978-3-319-11698-3_10

2014-01-01

Abstract:Botnet armed with P2P protocol is especially robust against various attacks used to be very effective against centralized network. It's especially significant to enhance our understanding of unstructured P2P Botnets which prove to be resilient against various dismantle efforts. Node injection technique is quite effective in enumerating infected hosts from P2P Botnets, but no previous work has investigated the effectiveness of this method in a quantitative manner. In this paper, we propose a peer popularity boosting algorithm to put the popularity of injected peer under control, and a method to tune the node injection rate to achieve better compromise between consumed bandwidth and completeness of node enumeration. Furthermore, we evaluate our methods with varied level of node injections on three live P2P Botnets, the result shows that our method is quite effective in boosting and manipulating injected peer's popularity. In contrast to other methods without manipulation of injected peer's magnitude of dispersion in network, our method not only unlock the full potential of node injections, but also could be adapted to measurements of various needs.

DONG Kai-kun,LIU Yang,GUO Li,DONG Lan

DOI: https://doi.org/10.3969/j.issn.1009-8054.2008.04.019

2008-01-01

Abstract:Botnet is one of the most serious threats to the security of the Internet nowadays.As compared with IRC Botnets, the control of P2P Botnets is more secure, robust and stealthy. The working principles for typical P2P Botnets are presented.And then the methods for peer discovery of P2P Botnets are classified, and their weak points are analyzed respectively. Based on the analysis, the methods for detecting P2P Botnets are given.

P. Barford,Y. Chen,A. Goyal,Z. Li,V. Paxson,V. Yegneswaran

DOI: https://doi.org/10.1007/978-1-4419-0140-8_5

2010-01-01

Abstract:Effective network security administration depends to a great extent on having accurate, concise, high-quality information about malicious activity in one's network. Honeynets can potentially provide such detailed information, but the volume and diversity of this data can prove overwhelming. We explore ways to integrate honeypot data into daily network security monitoring with a goal of sufficiently classifying and summarizing the data to provide ongoing "situational awareness." We present such a system, built using the Bro network intrusion detection system coupled with statistical analysis of numerous honeynet "events", and discuss experiences drawn from many months of operation. In particular, we develop methodologies by which sites receiving such probes can infer-using purely local observation-in format ion about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? One key aspect of this environment is its ability to provide insight into large-scale events. We look at the problem of accurately classifying botnet sweeps and worm outbreaks, which turns out to be difficult to grapple with due to the high dimensionality of such incidents. Using datasets collected during a number of these events, we explore the utility of several analysis methods, finding that when used together they show good potential for contributing towards effective Situational awareness. Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties, such as trend, uniformity, coordination, and darknet-avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that such inferences exhibit promising accuracy.

Jiabin Li,Zhi Xue

DOI: https://doi.org/10.1109/cais.2019.8769511

2019-01-01

Abstract:Botnet has been evolving over time since its birth. Nowadays, P2P (Peer-to-Peer) botnet has become a main threat to cyberspace security, owing to its strong concealment and easy expansibility. In order to effectively detect P2P botnet, researchers often focus on the analysis of network traffic. For the sake of enriching P2P botnet detection methods, the author puts forward a new sight of applying distributed threat intelligence sharing system to P2P botnet detection. This system aims to fight against distributed botnet by using distributed methods itself, and then to detect botnet in real time. To fulfill the goal of botnet detection, there are 3 important parts: the threat intelligence sharing and evaluating system, the BAV quantitative TI model, and the AHP and HMM based analysis algorithm. Theoretically, this method should work on different types of distributed cyber threat besides P2P botnet.

Yue Shi,Yingying Zhang

DOI: https://doi.org/10.1145/3617184.3618056

2023-09-22

Abstract:Honeypot is an active security defense technology that uses false information to lure attackers into attacking and record their behavior. Traditional honeypots are usually static, and inherent features and services can accelerate attackers' recognition of honeypots, causing them to lose value. We designs a dynamic honeypot based on machine learning, which can adapt to dynamic and constantly changing network environments while improving the authenticity of the honeypot. It automatically generates configuration files, simulates the characteristics and behavior of devices in the network. The method proposed is to achieve active monitoring and defense of network attacks by actively scanning Nmap and obtaining network device information through P0f, and combining feature clustering methods to classify devices and generate honeypot configuration files, active monitoring and defense of network attacks can be achieved. The results shows that this methods can effectively enhance the attack capture ability and camouflage ability of honeypots.

Computer Science

Liu B. Songsong,Pengbin Feng,Jiahao Cao,Xu He,Tommy Chin,Kun Sun,Qi Li

DOI: https://doi.org/10.1007/978-3-031-09484-2_11

2022-01-01

Abstract:The honeypot technique has proved its value in system protection and attack analysis over the past 20 years. Distributed honeypot solutions emerge to solve the high cost and risk of maintaining a functional honeypot system. In this paper, we uncover that all existing distributed honeypot systems suffer from one type of anti-honeypot technique called network context cross-checking (NC3) which enables attackers to detect network context inconsistencies before and after breaking into a targeted system. We perform a systematic study of NC3 and identify nine types of network context artifacts that may be leveraged by attackers to identify distributed honeypot systems. As a countermeasure, we propose HoneyPortal, a stealthy traffic redirection framework to defend against the NC3 attack. The basic idea is to project a remote honeypot into the protected local network as a believable host machine. We conduct experiments in a real testbed, and the experimental results show that HoneyPortal can effectively defeat NC3 attacks with a low performance overhead.

Fei Chen,Mingli Wang,Yan Fu,Jinquan Zeng

DOI: https://doi.org/10.1109/wicom.2009.5302674

2009-01-01

Abstract:Nowadays, Peer-to-Peer controlled (P2P-controlled) bots became an increasing threat to our network. Compared with traditional bots which rely on Internet Relay Chat (IRC) server, P2P-controlled bots spread much faster and construct the botnets with better robustness. The infected machine can be remotely controlled by the attacker to perform some malicious activities such as Distributed Denial of Service (DDoS) or email spamming. However, few bots detection techniques, especially aiming at P2Pcontrolled bots, have been developed to date. In this paper, we proposed a general way to detect P2P-controlled bots on the host. Our approach combines detections of malicious behaviors and P2P communication together. API function calls and P2P traffics generated by a specific bot are monitored dynamically during the specific time-window to achieve the detection. We perform a range of experiments with different dataset. The results show that our approach is effective to detect P2P-controlled bots on the host.

Mark Scanlon

DOI: https://doi.org/10.48550/arXiv.1712.03455

2017-12-10

Abstract:The scalable, low overhead attributes of Peer-to-Peer (P2P) Internet protocols and networks lend themselves well to being exploited by criminals to execute a large range of cybercrimes. The types of crimes aided by P2P technology include copyright infringement, sharing of illicit images of children, fraud, hacking/cracking, denial of service attacks and virus/malware propagation through the use of a variety of worms, botnets, malware, viruses and P2P file sharing. This project is focused on study of active P2P nodes along with the analysis of the undocumented communication methods employed in many of these large unstructured networks. This is achieved through the design and implementation of an efficient P2P monitoring and crawling toolset. The requirement for investigating P2P based systems is not limited to the more obvious cybercrimes listed above, as many legitimate P2P based applications may also be pertinent to a digital forensic investigation, e.g, voice over IP, instant messaging, etc. Investigating these networks has become increasingly difficult due to the broad range of network topologies and the ever increasing and evolving range of P2P based applications. In this work we introduce the Universal P2P Network Investigation Framework (UP2PNIF), a framework which enables significantly faster and less labour intensive investigation of newly discovered P2P networks through the exploitation of the commonalities in P2P network functionality. In combination with a reference database of known network characteristics, it is envisioned that any known P2P network can be instantly investigated using the framework, which can intelligently determine the best investigation methodology and greatly expedite the evidence gathering process. A proof of concept tool was developed for conducting investigations on the BitTorrent network.

Cryptography and Security,Networking and Internet Architecture

Guangli Wu,Xingyue Wang,Jing Zhang

DOI: https://doi.org/10.1016/j.cose.2024.103775

IF: 5.105

2024-02-24

Computers & Security

Abstract:P2P botnets are distributed with complex topology and communication behavior, making them harder to detect and remove. Individuals or organizations can effectively detect P2P botnets by analyzing abnormal behaviors in network traffic. Existing works focus on extracting deterministic traffic interaction features, which are highly dependent on statistical features. Moreover, these methods are mainly aimed at generalized botnet detection and lack specificity for detecting P2P botnets. They ignore the topological information of P2P botnets, resulting in unsatisfactory detection accuracy. Among the few existing methods targeting P2P botnets, they consider the topological information but mainly rely on classical graph theory statistical features, such as degree, feature vector centrality, etc. This limits the generalization ability of the detection model. In this paper, we delve into the topological features of P2P botnets from the perspective of complex graph theory. We propose a P2P botnet detection method that combines representation learning and graph contrastive learning, dubbed PeerG. Specifically, we construct the communication graphs based on the flow interaction behavior between components of the P2P botnets. The Line algorithm is employed to embed the nodes of the communication graph into a low-dimensional representation vector space. Subsequently, the graph contrastive learning approach is utilized to optimize the feature extractor, enabling it to capture more representative node features. PeerG serves as a benchmark detection model for identifying P2P botnet nodes. Additionally, we devise two optimized contrastive detection strategies (PeerG-PreG and PeerG-PreF) based on graph-level and feature-level to boost the performance of PeerG. Extensive experiments demonstrate that PeerG brings significant improvements in detection accuracy over state-of-art detection methods. Furthermore, compared with PeerG, the detection strategies PeerG-PreG and PeerG-PreF have further improved detection performance, and achieve the best detection accuracy among multiple filtered P2P botnet types.

computer science, information systems

Li Sheng,Liu Zhiming,He Jin,Deng Gaoming,Huang Wen

DOI: https://doi.org/10.1109/IMCCC.2012.36

2012-01-01

Abstract:Bonnet is extremely harmful to computer network security which could cause many network attacks(like spam, DDoS, phishing etc). In this paper, we design a distributed Bonnet detecting approach based on network traffic analysis. A botnet detection framework is proposed, which composed of two sections: Data Collection and Filter, Bonnet Detection and Identify. The first section is deployed in distributed hosts in order to capture network traffic data, filter data and classify data. The second section is deployed in centralized place which collectes all data from distributed hosts and detected the botnet using data amalgamation algorithms and characteristic identified algorithms. The detecting approach works efficiently and can detect botnet in the experiment environment.

Xingyuan Yang,Jie Yuan,Hao Yang,Ya Kong,Hao Zhang,Jinyu Zhao

DOI: https://doi.org/10.3390/fi15040127

2023-03-29

Future Internet

Abstract:In this paper, considering the problem that the common defensive means in the current cyber confrontation often fall into disadvantage, honeypot technology is adopted to turn reactive into proactive to deal with the increasingly serious cyberspace security problem. We address the issue of common defensive measures in current cyber confrontations that frequently lead to disadvantages. To tackle the progressively severe cyberspace security problem, we propose the adoption of honeypot technology to shift from a reactive to a proactive approach. This system uses honeypot technology for active defense, tempting attackers into a predetermined sandbox to observe the attacker's behavior and attack methods to better protect equipment and information security. During the research, it was found that due to the singularity of traditional honeypots and the limitations of low-interactivity honeypots, the application of honeypot technology has difficulty in achieving the desired protective effect. Therefore, the system adopts a highly interactive honeypot and a modular design idea to distinguish the honeypot environment from the central node of data processing, so that the honeypot can obtain more sufficient information and the honeypot technology can be used more easily. By managing honeypots at the central node, i.e., adding, deleting, and modifying honeypots and other operations, it is easy to maintain and upgrade the system, while reducing the difficulty of using honeypots. The high-interactivity honeypot technology not only attracts attackers into pre-set sandboxes to observe their behavior and attack methods, but also performs a variety of advanced functions, such as network threat analysis, virtualization, vulnerability perception, tracing reinforcement, and camouflage detection. We have conducted a large number of experimental comparisons and proven that our method has significant advantages compared to traditional honeypot technology and provides detailed data support. Our research provides new ideas and effective methods for network security protection.

Riaz Ullah Khan,Rajesh Kumar,Mamoun Alazab,Xiaosong Zhang

DOI: https://doi.org/10.1109/ccc.2019.00008

2019-01-01

Abstract:The botnet has been one of the most common threats to the network security since it exploits multiple malicious codes like worm, Trojans, Rootkit, etc. These botnets are used to perform the attacks, send phishing links, and/or provide malicious services. It is difficult to detect Peer-to-peer (P2P) botnets as compare to IRC (Internet Relay Chat), HTTP (HyperText Transfer Protocol) and other types of botnets because of having typical features of the centralization and distribution. To solve these problems, we propose an effective two-stage traffic classification method to detect P2P botnet traffic based on both non-P2P traffic filtering mechanism and machine learning techniques on conversation features. At the first stage, we filter non-P2P packages to reduce the amount of network traffic through well-known ports, DNS query, and flow counting. At the second stage, we extract conversation features based on data flow features and flow similarity. We detected P2P botnets successfully, by using Machine Learning Classifiers. Experimental evaluations show that our two-stage detection method has a higher accuracy than traditional P2P botnet detection methods.

Xuefeng Li,Haixin Duan,Wu Liu,Jianping Wu

DOI: https://doi.org/10.1109/icgcs.2010.5543027

2010-01-01

Abstract:Nowadays Botnets have been identified as one of the most serious threats to network security, especially the peer-to-peer (P2P)based Botnets. Security experts destroy the botnets by target-attacking the weaknesses of high degree nodes or high betweens edges of the botnets. To make this work, the security experts need to know the features of the topology of botnets. But, topics such as how botnets' topology is formed and what the features of botnets' topology are are rarely studied up to now. Inspired by the method of complex network, we propose the growing model of botnets to try to resolve these questions. As far as we know, the growing model of Botnets has not been studied. Here, we focuse on the network metrics of Botnets, present a growing model of Botnets and discusse the performance of Botnets when their topology construction parameters change.